In a prior lab, “Dell Force10 Z9000 – Creating Additional Layer 2 Isolation via Private VLANs”, I demonstrated some basics of private VLANs. In this lab, I go a little further and demonstrate how hosts in the same private VLAN (PVLAN) on two different switches can communicate with each other.
In this lab, I use two Dell Force10 Z9000 switches [FTOS 8.3.11.2] for all my PVLAN and trunking configurations. I use the other switches simply as end devices, with IPs configured on the respective interfaces. These other switches are a Dell Force10 S50V [FTOS 8.3.2.0], a Dell Force10 S60 [FTOS 8.3.3.7], and a Dell Force10 S4810 [FTOS 8.3.10.1].
Below is the network diagram for this lab.
Force10_Z9000_1
– enable
– conf
– int tengigabitethernet 0/8
– switchport
– switchport mode private-vlan trunk
– no shut
– int tengigabitethernet 0/4
– switchport
– switchport mode private-vlan host
– no shut
– int vlan 2
– private-vlan mode primary
– private-vlan mapping secondary-vlan 10
– private-vlan mapping secondary-vlan 20
– tagged tengigabitethernet 0/8
– ip address 10.0.0.1/24
– no shut
– int vlan 10
– private-vlan mode community
– untagged tengigabitethernet 0/4
– no shut
– int vlan 20
– private-vlan mode community
– no shut
– end
– write
Force10_Z9000_2
– enable
– conf
– int tengigabitethernet 0/8
– switchport
– switchport mode private-vlan trunk
– no shut
– int tengigabitethernet 0/4
– switchport
– switchport mode private-vlan host
– no shut
– int tengigabitethernet 0/5
– switchport
– switchport mode private-vlan host
– no shut
– int vlan 2
– private-vlan mode primary
– private-vlan mapping secondary-vlan 10
– private-vlan mapping secondary-vlan 20
– tagged tengigabitethernet 0/8
– ip address 10.0.0.2/24
– no shut
– int vlan 10
– private-vlan mode community
– untagged tengigabitethernet 0/4
– no shut
– int vlan 20
– private-vlan mode community
– untagged tengigabitethernet 0/5
– no shut
– end
– write
Now that everything is configured, I try pinging both the S60 (10.0.0.4/24) and the S4810 (10.0.0.5/24) from the S50V (10.0.0.3/24). The S50V is connected to the first Z9000 (Force10_Z9000_1) and the S60 to the second Z9000 (Force10_Z9000_2), but because we have configured a trunk port to carry the private VLAN traffic and both hosts reside in the same private VLAN (PVLAN 10), the S50V and the S60 should be able to ping each other.
However, since the S4810 resides in a different private VLAN (PVLAN 20), the S50V and S4810 should not be able to ping each other. As you can see below, this is exactly the case. Further, notice how the S4810 can still ping both Z9000s (10.0.0.1/24 and 10.0.0.2/24), but not the S50V (10.0.0.3/24).
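The isolation this lab expects can also be checked offline from the command lists before any ping is sent. The following Python sketch is an added example, not part of the original lab or of FTOS: it parses the VLAN stanzas above and applies a simplified community-PVLAN rule. The function names and the reachability model are assumptions made for illustration, and the embedded configuration text is constructed from the commands on this page.

```python
import re

# Constructed input: VLAN stanzas from this lab's command lists (IP lines omitted).
Z1_CFG = """\
int vlan 2
private-vlan mode primary
private-vlan mapping secondary-vlan 10
private-vlan mapping secondary-vlan 20
tagged tengigabitethernet 0/8
int vlan 10
private-vlan mode community
untagged tengigabitethernet 0/4
int vlan 20
private-vlan mode community
"""
Z2_CFG = Z1_CFG + "untagged tengigabitethernet 0/5\n"  # Z9000_2 adds a VLAN 20 host port

def parse(cfg):
    """Return {vlan_id: {mode, secondaries, untagged, tagged}} from a command list."""
    vlans, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"int vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"mode": None, "secondaries": set(),
                                               "untagged": set(), "tagged": set()})
        elif cur is None:
            continue  # ignore commands outside a VLAN stanza
        elif m := re.fullmatch(r"private-vlan mode (\w+)", line):
            cur["mode"] = m[1]
        elif m := re.fullmatch(r"private-vlan mapping secondary-vlan (\d+)", line):
            cur["secondaries"].add(int(m[1]))
        elif m := re.fullmatch(r"(untagged|tagged) tengigabitethernet (\S+)", line):
            cur[m[1]].add(m[2])
    return vlans

def host_vlan(vlans, port):
    """Community VLAN in which a host port is untagged, or None."""
    return next((v for v, d in vlans.items()
                 if d["mode"] == "community" and port in d["untagged"]), None)

def trunked_primary(vlans, sec):
    """Primary VLAN that maps `sec` and has a tagged (trunk) member, or None."""
    return next((v for v, d in vlans.items() if d["mode"] == "primary"
                 and sec in d["secondaries"] and d["tagged"]), None)

def can_reach(sw_a, port_a, sw_b, port_b):
    """Simplified model: hosts on two switches reach each other only via the same
    community VLAN, mapped to the same trunked primary VLAN on both switches."""
    va, vb = host_vlan(sw_a, port_a), host_vlan(sw_b, port_b)
    pa, pb = trunked_primary(sw_a, va), trunked_primary(sw_b, vb)
    return va is not None and va == vb and pa is not None and pa == pb
```

With the lab's configuration, `can_reach` is true for the S50V and S60 ports (both in PVLAN 10) and false for the S50V and S4810 ports; it also turns false if one switch loses its `private-vlan mapping secondary-vlan 10` line, which is the kind of drift worth catching before relying on the isolation.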